Over the last few years, the general populace has encountered the proliferation of malicious software (sometimes referred to as “malware”) over the Internet. Malware takes many forms, including exploits, namely information that attempts to take advantage of a vulnerability in software loaded onto an electronic device in order to adversely influence or attack the operations of that electronic device. Despite repeated efforts by detection systems and software patches to address software vulnerabilities, malware continues to evade detection and infect electronic devices worldwide.
There are several known techniques for detecting, analyzing, and responding to threats. Existing cloud-based threat intelligence collects and aggregates data from different local sensors and analyzes the collected data to determine whether there is a threat. The result of the analysis, typically a blacklist of known threats (e.g., domains, files, users, etc.), may be transmitted from the cloud-based threat intelligence to the local sensors for further action. However, as advanced threats or targeted attacks become more localized (e.g., targeting certain geo-locations, certain groups of people, certain industries, etc.), cloud-based threat intelligence may not be sensitive enough to detect a local attack. Conversely, existing local-only threat intelligence does not typically take the results of global intelligence as input, which leads to many false positives.
There have also been techniques for profiling the behavior of an individual entity (e.g., user, machine, service, etc.) and monitoring that entity for anomalous behavior. However, behavior profiling of an individual entity in isolation has sensitivity and accuracy problems, because the behavior of that entity can change dynamically for legitimate reasons (a new role, a new project, a new tool). Traditional behavior profiling and detection based on the behavior of an individual entity alone is therefore either too sensitive, leading to false positives, or too insensitive, leading to false negatives.
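The trade-off described above can be seen in a minimal per-entity baseline detector. The following Python block is an added illustration, not code from the original text or from any product it describes; the daily download counts, the z-score baseline, the sigma floor of 1.0 and the two threshold values are all constructed assumptions chosen to expose the failure mode. The legitimate change of behavior (a user joining a new project) is deliberately larger than the low-and-slow attacker's daily volume, so no single threshold on the entity's own history can separate the two: a sensitive threshold flags both (false positive), a lax one misses both (false negative).

```python
from statistics import mean, pstdev

# Constructed sample data (assumption, not from the original text): daily
# file-download counts for one user over a ten-day learning window.
HISTORY = [20, 22, 19, 21, 20, 23, 18, 22, 21, 20]

# Constructed test days for the same user. The legitimate change is larger
# than the low-and-slow attack, which is exactly what a single-entity profile
# cannot tell apart; only the noisy attack stands out at any threshold.
SCENARIOS = {
    "normal_day": 22,
    "legitimate_role_change": 26,
    "low_and_slow_attack": 25,
    "noisy_attack": 60,
}


def zscore(history, value):
    """Standard score of `value` against the entity's own baseline."""
    mu = mean(history)
    # Floor sigma at 1.0 (assumed choice) so a perfectly stable entity does not
    # turn every one-unit deviation into an enormous score.
    sigma = max(pstdev(history), 1.0)
    return (value - mu) / sigma


def is_anomalous(history, value, k):
    """Flag when the observation exceeds the baseline by more than k sigma."""
    return zscore(history, value) > k


def evaluate(k):
    """Run every scenario through the per-entity detector at sensitivity k."""
    return {name: is_anomalous(HISTORY, value, k) for name, value in SCENARIOS.items()}


if __name__ == "__main__":
    # k=2 is 'too sensitive' (flags the legitimate change); k=4 is 'too
    # insensitive' (misses the low-and-slow attack). Neither is right.
    for k in (2.0, 4.0):
        print(f"k={k}: {evaluate(k)}")
```

With this history the baseline is mean 20.6 and standard deviation about 1.43, so the legitimate change scores about 3.8 sigma and the low-and-slow attack about 3.1 sigma. Whatever threshold k is chosen, the attack is only caught when the legitimate change is also flagged; the detector needs information beyond the entity's own history to separate them.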